[LON-CAPA-cvs] cvs: loncom /cgi lonauthcgi.pm ping.pl /lonnet/perl lonnet.pm
raeburn
raeburn at source.lon-capa.org
Mon Oct 17 13:23:29 EDT 2011
raeburn Mon Oct 17 17:23:29 2011 EDT
Modified files:
/loncom/cgi lonauthcgi.pm ping.pl
/loncom/lonnet/perl lonnet.pm
Log:
- Rights to run /cgi-bin/ping.pl on any server in the cluster, from any other host
in the cluster.
- For scripts using lonauthcgi::check_ipbased_access(), access is permitted both for 127.0.0.1
and when the remote IP is the same as the IP of the host server.
- check_domain_ip() - new routine: allows access to scripts from any server which belongs
to the same domain as the host server.
- update POD for check_ipbased_access().
- Add new global hash: Apache::lonnet::managerstab to store contents of:
/home/httpd/lonTabs/managers.tab, loaded within BEGIN {} block.
- No automatic access to toggledebug and takeoffline items from server listed in
managers.tab (unlike other keys in %serverstatus_titles).
-------------- next part --------------
Index: loncom/cgi/lonauthcgi.pm
diff -u loncom/cgi/lonauthcgi.pm:1.7 loncom/cgi/lonauthcgi.pm:1.8
--- loncom/cgi/lonauthcgi.pm:1.7 Fri Oct 14 20:50:54 2011
+++ loncom/cgi/lonauthcgi.pm Mon Oct 17 17:23:25 2011
@@ -1,7 +1,7 @@
#
# LON-CAPA authorization for cgi-bin scripts
#
-# $Id: lonauthcgi.pm,v 1.7 2011/10/14 20:50:54 raeburn Exp $
+# $Id: lonauthcgi.pm,v 1.8 2011/10/17 17:23:25 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -32,7 +32,7 @@
=head1 NAME
-loncgi
+lonauthcgi
=head1 SYNOPSIS
@@ -59,7 +59,6 @@
use Apache::lonnet;
use Apache::lonlocal;
use LONCAPA;
-use LONCAPA::Configuration();
#############################################
#############################################
@@ -74,11 +73,16 @@
$ip, the IP address of the client requesting the page.
Returns: 1 if access is permitted for the requestor's IP.
- Access is allowed if on of the following is true:
- (a) the requestor IP is the loopback address
- (b) Domain configurations for domains hosted on this server include
+ Access is allowed if one of the following is true:
+ (a) the requestor IP is the loopback address.
+ (b) the requestor IP is the IP of the current server.
+ (c) the requestor IP is the IP of a manager,
+ if the page to view is not "takeoffline" or "toggledebug"
+ (d) the requestor IP is the IP of a server belonging
+ to a domain included in domains hosted on this server.
+ (e) Domain configurations for domains hosted on this server include
the requestor's IP as one of the specified IPs with access
- to this page. (does not apply to 'ping' page type)
+ to this page. (not applicable to 'ping' page).
=cut
@@ -90,13 +94,24 @@
if (!defined($ip)) {
$ip = $ENV{'REMOTE_ADDR'};
}
- if (($page ne 'lonstatus') && ($page ne 'serverstatus')) {
- if ($ip eq '127.0.0.1') {
+ if ($ip eq '127.0.0.1') {
+ $allowed = 1;
+ return $allowed;
+ } else {
+ my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
+ my $host_ip = &Apache::lonnet::get_host_ip($lonhost);
+ if (($host_ip ne '') && ($host_ip eq $ip)) {
$allowed = 1;
return $allowed;
}
}
if (&is_manager_ip($ip)) {
+ unless (($page eq 'toggledebug') || ($page eq 'takeoffline')) {
+ $allowed = 1;
+ return $allowed;
+ }
+ }
+ if (&check_domain_ip($ip)) {
$allowed = 1;
return $allowed;
}
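Review bot: The `else` wrapping the host-IP comparison is redundant, because the loopback branch above it ends in an unconditional `return $allowed;`; dropping the `else` and de-indenting the `get_host_ip` lookup leaves the control flow identical and easier to read. The loopback test is a plain string comparison against `'127.0.0.1'`, so a request arriving over IPv6 loopback (`::1`) or another 127/8 address is not treated as local and falls through to the manager, domain and per-domain IP checks — acceptable if these CGI scripts are only reached over IPv4, but worth recording with `# only the IPv4 loopback address is recognised as local here`. Note also that, unlike the manager path, the loopback and host-IP paths grant `toggledebug` and `takeoffline` unconditionally, which matches the updated POD. check_ipbased_access begins and ends outside this hunk.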
@@ -123,40 +138,82 @@
#############################################
#############################################
+=pod
+
+=item is_manager_ip()
+
+Inputs: $remote_ip, the IP address of the client requesting the page.
+
+Returns: 1 if the client IP address corresponds to that of a
+ machine listed in /home/httpd/lonTabs/managers.tab
+
+=cut
+
+#############################################
+#############################################
sub is_manager_ip {
my ($remote_ip) = @_;
return if ($remote_ip eq '');
my ($directory,$is_manager);
- my $config=LONCAPA::Configuration::read_conf();
- if (ref($config) eq 'HASH') {
- $directory = $config->{'lonTabDir'};
+ foreach my $key (keys(%Apache::lonnet::managerstab)) {
+ my $manager_ip;
+ if ($key =~ /:/) {
+ my ($cluname,$dnsname) = split(/:/,$key);
+ my $ip = gethostbyname($dnsname);
+ if (defined($ip)) {
+ $manager_ip = inet_ntoa($ip);
+ }
+ } else {
+ $manager_ip = &Apache::lonnet::get_host_ip($key);
+ }
+ if (defined($manager_ip)) {
+ if ($remote_ip eq $manager_ip) {
+ $is_manager = 1;
+ last;
+ }
+ }
}
- if (defined($directory)) {
- if (open(MANAGERS, "$directory/managers.tab")) {
- while(my $host = <MANAGERS>) {
- chomp($host);
- next if ($host =~ /^\#/);
- my $ip = &Apache::lonnet::get_host_ip($host);
- if (defined($ip)) {
- if ($remote_ip eq $ip) {
- $is_manager = 1;
- last;
- }
- } else {
- my ($cluname,$dnsname) = split(/:/, $host);
- $ip = gethostbyname($dnsname);
- if (defined($ip)) {
- my $hostip = inet_ntoa($ip);
- if ($hostip = $remote_ip) {
- $is_manager = 1;
+ return $is_manager;
+}
+
+#############################################
+#############################################
+
+=pod
+
+=item check_domain_ip()
+
+Inputs: $remote_ip, the IP address of the client requesting the page.
+
+Returns: 1 if the client IP address is for a machine in the cluster
+ and domain in common for client machine and this machine.
+
+=cut
+
+#############################################
+#############################################
+sub check_domain_ip {
+ my ($remote_ip) = @_;
+ my %remote_doms;
+ my $allowed;
+ if ($remote_ip ne '') {
+ if (&Apache::lonnet::hostname($remote_ip) ne '') {
+ my @poss_domains = &Apache::lonnet::current_machine_domains();
+ if (@poss_domains > 0) {
+ my @remote_hosts = &Apache::lonnet::get_hosts_from_ip($remote_ip);
+ foreach my $hostid (@remote_hosts) {
+ my $hostdom = &Apache::lonnet::host_domain($hostid);
+ if ($hostdom ne '') {
+ if (grep(/^\Q$hostdom\E$/, at poss_domains)) {
+ $allowed = 1;
+ last;
}
}
}
}
- close(MANAGERS);
}
}
- return $is_manager;
+ return $allowed;
}
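Review bot: `my ($directory,$is_manager);` in is_manager_ip still declares `$directory`, which the rewritten loop never reads now that the managers table comes from `%Apache::lonnet::managerstab`; likewise `my %remote_doms;` in check_domain_ip is never used, and `$cluname` from the `split` is discarded. Reduce them to `my $is_manager;`, delete the `%remote_doms` line, and write `my (undef,$dnsname) = split(/:/,$key);`. I would also confirm that `Apache::lonnet::hostname()` accepts an IP address: check_domain_ip passes `$remote_ip` to it, while ping.pl in this same commit passes a host id; if it only resolves host ids, the `ne ''` guard never passes and check_domain_ip always returns undef. `gethostbyname` in scalar context yields only the first address of a multi-homed manager, the same limitation the replaced code had.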
#############################################
@@ -178,14 +235,12 @@
the requestor as one of the named users (username:domain) with access
to the page.
- In the case of requests for the 'ping' page, access is also allowed if
- at least one domain hosted on requestor's server is also hosted on this server.
-
In the case of requests for the 'showenv' page (/adm/test), the domains tested
are not the domains hosted on the server, but instead are a single domain -
the domain of the requestor. In addition, if the requestor has an active
Domain Coordinator role for that domain, access is permitted, regardless of
the requestor's current role.
+
=cut
#############################################
@@ -195,16 +250,6 @@
my $allowed;
if ($Apache::lonnet::env{'request.role'} =~ m{^su\./}) {
$allowed = 1;
- } elsif ($page eq 'ping') {
- my @poss_domains = &Apache::lonnet::current_machine_domains();
- my @hostids= &Apache::lonnet::get_hosts_from_ip($ENV{'REMOTE_ADDR'});
- foreach my $hostid (@hostids) {
- my $hostdom = &Apache::lonnet::host_domain($hostid);
- if (grep(/^\Q$hostdom\E$/, at poss_domains)) {
- $allowed = 1;
- last;
- }
- }
} else {
my @poss_domains;
if ($page eq 'showenv') {
@@ -251,7 +296,7 @@
=pod
-=unauthorized_msg()
+=item unauthorized_msg()
Inputs: $page, the identifier of the page to be viewed,
can be one of the keys in the hash from &serverstatus_titles()
@@ -321,6 +366,10 @@
return \%titles;
}
+=pod
-1;
+=back
+=cut
+
+1;
Index: loncom/cgi/ping.pl
diff -u loncom/cgi/ping.pl:1.8 loncom/cgi/ping.pl:1.9
--- loncom/cgi/ping.pl:1.8 Thu Dec 25 01:56:03 2008
+++ loncom/cgi/ping.pl Mon Oct 17 17:23:25 2011
@@ -1,6 +1,6 @@
#!/usr/bin/perl
# ping cgi-script
-# $Id: ping.pl,v 1.8 2008/12/25 01:56:03 raeburn Exp $
+# $Id: ping.pl,v 1.9 2011/10/17 17:23:25 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -38,19 +38,28 @@
&main();
sub main {
- if (!&LONCAPA::lonauthcgi::check_ipbased_access('ping')) {
- if (!&LONCAPA::loncgi::check_cookie_and_load_env()) {
- return;
+ my $remote_ip = $ENV{'REMOTE_ADDR'};
+ my $allowed;
+ my @hosts = &Apache::lonnet::get_hosts_from_ip($remote_ip);
+ if (@hosts > 0) {
+ $allowed = 1;
+ } elsif (&LONCAPA::lonauthcgi::check_ipbased_access('ping',$remote_ip)) {
+ $allowed = 1;
+ } elsif (&LONCAPA::loncgi::check_cookie_and_load_env()) {
+ if (&LONCAPA::lonauthcgi::can_view('ping')) {
+ $allowed = 1;
}
-
- if (!&LONCAPA::lonauthcgi::can_view('ping')) {
- return;
+ }
+ if ($allowed) {
+ my $testhost=$ENV{'QUERY_STRING'};
+ $testhost=~s/\W//g;
+ if (&Apache::lonnet::hostname($testhost) ne '') {
+ print &Apache::lonnet::reply('ping',$testhost)."\n";
+ } else {
+ print 'unknown_host';
}
+ } else {
+ print 'forbidden';
}
-
- my $testhost=$ENV{'QUERY_STRING'};
- $testhost=~s/\W//g;
-
- print &Apache::lonnet::reply('ping',$testhost)."\n";
return;
}
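Review bot: The two failure responses are written as `print 'forbidden';` and `print 'unknown_host';` while the success path prints `reply(...)."\n"`, so the three outcomes differ in whether a trailing newline is sent; if the consumer reads a line and chomps, `print "forbidden\n";` and `print "unknown_host\n";` make the responses uniform without changing their content. The cluster-membership shortcut `if (@hosts > 0)` grants access on `REMOTE_ADDR` alone, which is what the log entry asks for, but it relies on `REMOTE_ADDR` being the real peer address; a comment such as `# any cluster host may ping; assumes REMOTE_ADDR is the true peer (no reverse proxy)` would record that assumption. Resolving `$testhost` only after the access decision is the right order, since an unauthorized caller learns nothing about which host ids exist.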
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1137 loncom/lonnet/perl/lonnet.pm:1.1138
--- loncom/lonnet/perl/lonnet.pm:1.1137 Mon Oct 17 15:35:07 2011
+++ loncom/lonnet/perl/lonnet.pm Mon Oct 17 17:23:29 2011
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.1137 2011/10/17 15:35:07 raeburn Exp $
+# $Id: lonnet.pm,v 1.1138 2011/10/17 17:23:29 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -76,7 +76,8 @@
use Image::Magick;
use vars qw(%perlvar %spareid %pr %prp $memcache %packagetab $tmpdir
- $_64bit %env %protocol %loncaparevs %serverhomeIDs %needsrelease);
+ $_64bit %env %protocol %loncaparevs %serverhomeIDs %needsrelease
+ %managerstab);
my (%badServerCache, $memcache, %courselogs, %accesshash, %domainrolehash,
%userrolehash, $processmarker, $dumpcount, %coursedombuf,
@@ -10984,6 +10985,22 @@
}
}
+# ---------------------------------------------------------- Read managers table
+{
+ if (-e "$perlvar{'lonTabDir'}/managers.tab") {
+ if (open(my $config,"<$perlvar{'lonTabDir'}/managers.tab")) {
+ while (my $configline=<$config>) {
+ chomp($configline);
+ next if ($configline =~ /^\#/);
+ if (($configline =~ /^[\w\-]+$/) || ($configline =~ /^[\w\-]+\:[\w\-]+$/)) {
+ $managerstab{$configline} = 1;
+ }
+ }
+ close($config);
+ }
+ }
+}
+
# ------------- set up temporary directory
{
$tmpdir = LONCAPA::tempdir();
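Review bot: The open at `open(my $config,"<$perlvar{'lonTabDir'}/managers.tab")` uses the two-argument form with the mode folded into the filename; `open(my $config, '<', "$perlvar{'lonTabDir'}/managers.tab")` keeps the mode separate from the path, and the preceding `-e` test can then go, since a missing file simply fails the open. The `cluname:dnsname` validation `^[\w\-]+\:[\w\-]+$` rejects a dot, so a fully-qualified DNS name in managers.tab would be dropped silently; if such entries are expected by is_manager_ip's `gethostbyname` call, `^[\w\-]+:[\w.\-]+$` admits them. Lines that fail validation, and an open that fails, are discarded without any log message, which makes a misconfigured managers.tab hard to diagnose. The BEGIN block that the log entry says encloses this code presumably starts and ends outside the hunk.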